22 lines
936 B
Plaintext
22 lines
936 B
Plaintext
Locking an account which has had too many sequential, failed login attempts within a short time can help resist brute force attacks. This rule raises an issue on authentication code so that such controls can be verified.
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
[source,text]
|
|
----
|
|
env.put(Context.SECURITY_PRINCIPAL, principal);
|
|
env.put(Context.SECURITY_CREDENTIALS, password);
|
|
|
|
DirContext ctx = new InitialDirContext(env); // Noncompliant
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
|
|
* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
|
|
* https://cwe.mitre.org/data/definitions/307[MITRE, CWE-307] - Improper Restriction of Excessive Authentication Attempts
|
|
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
|
|
|